SOLARIS 10 SECURITY. Technical Overview. Andreas Neuhold Systems Practice Lead Austria Sun Microsystems, GesmbH




Solaris 10 licences (millions): chart of registered licences from 3/05 to 1/07, rising to ~7M, with milestones marked for ZFS, Solaris Containers, DTrace and x64/x86 support. # 2

> ~7 million registered licences
> 125 performance world records
> 800+ x64/x86 platforms supported
> 6800+ ISV applications available
> Hundreds of open-source applications integrated and supported
> Enthusiasm among customers and partners for Solaris 10
# 3

Solaris Security: Solaris 10 Operating System features (two of them flagged 'New' on the slide)
> Digital Certificates Everywhere
> IP Filter Firewall
> Secure Execution
> User & Process Rights Mgmt.
> Cryptographic Framework
> Secure By Default Networking
> Trusted Extensions
# 4

Agenda: Solaris 10 Security
> Process and User Rights Management
> Network Security and Encrypted Communications
> Password Management and Auditing
> Container Security
> File Integrity Validation
> Minimization and Hardening
> Labeled Security
> Security Certification
# 5

Process & User Rights Management

Reduce Application Privileges
Process Rights Management allows you to distribute rights among applications with finer granularity:
> Eliminates the need to run applications as super user
> Reduces customer exposure to security attacks
> Compatible with existing applications
> Always turned on
# 7

Process Rights Management = Least Privilege: minimal privileges for processes
> Replaces the 'all or nothing' rights model (root vs. everyone else)
> Usually only a fraction of the rights is actually needed, e.g. device access, reserved network ports, real-time priority
# 8

PRM Example: Apache Web Server. Instead of the web server running as super user, the Service Manager (itself running as super user) starts it as the 'webservd' user holding only the privileges it needs: net_privaddr, proc_fork, proc_exec. # 9
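The least-privilege idea of slides 7 to 9 is easiest to see as an audit: compare what each running service actually holds against what it should need. The following is an added example, not code from the slides or from Sun; it parses the text format that `ppriv -S <pid>` prints (the three sample process dumps are constructed, not captured from a real system) and flags processes whose effective set exceeds a per-executable baseline. The expansion of `basic` to file_link_any, proc_exec, proc_fork, proc_info and proc_session is the Solaris 10 basic set; the BASELINE policy itself is a hypothetical example.

```python
"""Audit Solaris process privilege sets against a per-service least-privilege
baseline. Added example; parses the output format of `ppriv -S <pid>` as
captured below (constructed sample, not real system output)."""

# Solaris 10 'basic' privilege set: what every unprivileged process gets.
BASIC = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}

# Constructed sample of `ppriv -S` output for three processes.
SAMPLE_PPRIV = """\
1234:\t/usr/apache2/bin/httpd
flags = <none>
\tE: basic,net_privaddr,!proc_info,!proc_session
\tI: basic,net_privaddr,!proc_info,!proc_session
\tP: basic,net_privaddr,!proc_info,!proc_session
\tL: all
2345:\t/usr/lib/inet/in.ftpd
flags = <none>
\tE: all
\tI: all
\tP: all
\tL: all
3456:\t/opt/app/bin/reportd
flags = <none>
\tE: basic,sys_mount
\tI: basic,sys_mount
\tP: basic,sys_mount
\tL: all
"""

# Least-privilege baseline per executable (hypothetical policy, an assumption).
BASELINE = {
    "/usr/apache2/bin/httpd": {"file_link_any", "proc_exec", "proc_fork", "net_privaddr"},
    "/usr/lib/inet/in.ftpd": BASIC | {"net_privaddr"},
    "/opt/app/bin/reportd": BASIC,
}

ALL_PRIVILEGES_MARKER = "all"


def expand_set(spec):
    """Expand a ppriv set spec such as 'basic,net_privaddr,!proc_info'.
    Returns a frozenset of privilege names, or the marker 'all'."""
    result = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if tok == "all":
            return ALL_PRIVILEGES_MARKER
        if tok == "none":
            continue
        if tok == "basic":
            result |= BASIC
        elif tok.startswith("!"):        # '!priv' removes a privilege added earlier
            result.discard(tok[1:])
        else:
            result.add(tok)
    return frozenset(result)


def parse_ppriv(text):
    """Parse concatenated `ppriv -S` output into {pid: (exe, {setname: spec})}."""
    procs = {}
    pid = None
    for line in text.splitlines():
        if not line.strip():
            continue
        head = line.split(":", 1)
        if not line.startswith(("\t", " ")) and head[0].isdigit():
            pid = int(head[0])                      # 'PID:<tab>executable' header line
            procs[pid] = (head[1].strip(), {})
        elif line.strip().startswith(("E:", "I:", "P:", "L:")):
            name, spec = line.strip().split(":", 1)  # one of the four privilege sets
            procs[pid][1][name] = spec.strip()
    return procs


def find_overprivileged(text, baseline=BASELINE):
    """Return {pid: (exe, sorted excess privileges)} for processes whose
    effective set exceeds the baseline. An effective set of 'all' is always
    reported. Unknown executables are held to the basic set."""
    findings = {}
    for pid, (exe, sets) in parse_ppriv(text).items():
        allowed = baseline.get(exe, BASIC)
        effective = expand_set(sets.get("E", "none"))
        if effective == ALL_PRIVILEGES_MARKER:
            findings[pid] = (exe, ["all"])
        else:
            excess = sorted(effective - allowed)
            if excess:
                findings[pid] = (exe, excess)
    return findings


if __name__ == "__main__":
    for pid, (exe, excess) in find_overprivileged(SAMPLE_PPRIV).items():
        print(f"pid {pid} {exe}: excess privileges {','.join(excess)}")
```

Run against the sample, the Apache process passes (its effective set is exactly basic minus proc_info and proc_session plus net_privaddr), the FTP daemon is reported for running with all privileges, and the report daemon is reported for the extra sys_mount. On a real Solaris 10 host the same function would take the concatenated output of `ppriv -S` over the PIDs of interest.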

User Rights Management
User Rights Management allows you to distribute rights to management roles with finer granularity. Users can then assume these roles.
> Decomposes the super user role
> Roles stored in the naming service for centralization
> Auditing records the 'real' user: no anonymous admin!
# 10

User Rights Management (diagram): the super user is decomposed into roles such as System Administrator, Backup Operator, Internal Auditor and Developer; the rights assigned to these roles include Software Installation, DTrace Debugging, Audit Review and File Integrity Verification. # 11

Network Security & Encrypted Communications

Network Protection
Solaris Security now provides even tougher defenses for your network.
New IP Filter Firewall
> Allows selective access to ports based on IP
> Compatible/manageable like open source IPF
TCP Wrappers
> Limits access to TCP/UDP services using domain name
> Permits selective access for partners, suppliers, etc.
Secure By Default Network
> Disables or protects many network services from attack
> Minimizes network exposure of the system
# 13

Cryptographic Framework (diagram)
Consumers, via the PKCS#11 consumer interface: commercial applications, open source web servers, Sun Java Web Server, Java VM applications, OpenSSL, NSS, Java Enterprise System, JCE (Java Cryptographic Extensions)
User-Level Cryptographic Framework
Providers, via the PKCS#11 provider interface: Sun Software Crypto Plug-in (DES, 3DES, AES, Blowfish, RSA, MD5, SHA, RC4); hardware accelerators (UltraSPARC T1, Crypto Accelerator 6000)
Now the framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work.
> 'Unbreakable' cryptographic strength
> Standards-based framework
> Same API, software or hardware
> Extensible for future technologies
# 14

Secure Remote Access
> Solaris Secure Shell: standards-based encrypted remote access
> Kerberos Single Sign On: standards-based enterprise single sign on
> IPSec/IKE: transparently encrypted communications between systems; no application modification
(Diagram: a remote worker reaching apps & data across the Internet.)
# 15

Password Management & Auditing

Password Management
Solaris adds more layers of password security:
> Password complexity checks
> Password history (0 to 26 passwords)
> Banned password list (dictionary)
> Complements LDAP-based password controls for non-local accounts
# 17
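To make the three controls on this slide concrete, here is an added example (not code from the slides or from Solaris) of a checker that enforces a complexity policy, a banned-word dictionary and a bounded password history. The policy keys are named after the Solaris 10 /etc/default/passwd settings (PASSLENGTH, MINALPHA, MINNONALPHA, MAXREPEATS, HISTORY, WHITESPACE, DICTIONLIST); the values, the banned list and the sample passwords are constructed. History entries are hashed with a salted SHA-256 stand-in rather than the crypt(3C) hashing Solaris uses (an assumption made to keep the example self-contained).

```python
"""Password policy checker modelled on the Solaris 10 /etc/default/passwd
controls named on the slide: complexity, history depth and a banned-word
dictionary. Added example; history hashing uses a toy salted SHA-256 rather
than Solaris's crypt(3C) (assumption)."""
import hashlib
import os
import re

# Policy modelled on /etc/default/passwd keys (values constructed for the example).
POLICY = {
    "PASSLENGTH": 8,      # minimum length
    "MINALPHA": 2,        # minimum alphabetic characters
    "MINNONALPHA": 1,     # minimum digits/special characters
    "MAXREPEATS": 2,      # maximum consecutive repeats of one character
    "HISTORY": 4,         # remembered old passwords (Solaris allows 0 to 26)
    "WHITESPACE": False,  # whitespace not allowed
}

# Constructed banned list; a real deployment points DICTIONLIST at word files.
BANNED = {"password", "solaris", "welcome", "changeme"}


def _hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


class PasswordHistory:
    """Per-user ring buffer of the last HISTORY password hashes."""

    def __init__(self, depth):
        self.depth = depth
        self.entries = []  # list of (salt, hexdigest), newest last

    def contains(self, password):
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def add(self, password):
        if self.depth == 0:          # HISTORY=0 means no history is kept
            return
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-self.depth]   # keep only the newest `depth` entries


def check_password(candidate, history, policy=POLICY, banned=BANNED):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy["PASSLENGTH"]:
        problems.append("PASSLENGTH")
    if sum(c.isalpha() for c in candidate) < policy["MINALPHA"]:
        problems.append("MINALPHA")
    if sum(not c.isalpha() for c in candidate) < policy["MINNONALPHA"]:
        problems.append("MINNONALPHA")
    # MAXREPEATS=n allows n identical characters in a row, n+1 is a violation.
    if re.search(r"(.)\1{%d,}" % policy["MAXREPEATS"], candidate):
        problems.append("MAXREPEATS")
    if not policy["WHITESPACE"] and any(c.isspace() for c in candidate):
        problems.append("WHITESPACE")
    # Dictionary check: case-insensitive, and also catches a trailing digit suffix.
    core = re.sub(r"\d+$", "", candidate.lower())
    if candidate.lower() in banned or core in banned:
        problems.append("DICTIONLIST")
    if history.contains(candidate):
        problems.append("HISTORY")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory(POLICY["HISTORY"])
    for pw in ("Tr0ub4dor&3", "Solaris2007", "aaab1234", "short"):
        print(repr(pw), "->", check_password(pw, hist) or "ok")
```

The history buffer is the part worth noticing: with HISTORY set to 4, a password becomes reusable again only after four different successors, which is the behaviour the slide's "0 to 26 passwords" range describes.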

Solaris System Auditing
Records and monitors everything that happens on the system: user access, computer, possible intrusion, date, selected log records.
> Records who did what, when and how
> Exports audit records to XML format for analysis by tools or intrusion detection systems
> Essential for audit and compliance officers
# 18

Container Security

Container Security
Reduce risk by isolating applications in separate containers yet administer centrally.
> Containers provide file, network, process, and resource isolation
> Administer from a single Global Zone
(Diagram: app server, web server and DB server containers on one application OS server.)
# 20

File Integrity Validation

File Integrity Verification Tools
Basic Audit and Reporting Tool (BART)
> Generate checksums; compared periodically
Solaris Fingerprint Database
> Validate your system today using: sunsolve.sun.com
Solaris Secure Execution
Provides tools to validate the OS and your data to catch hackers in action.
# 22
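The "generate checksums; compare periodically" workflow is `bart create` on a known-good system followed by `bart compare` later. As an added example (not code from the slides, from Sun, or from the bart utility itself), the following parses two BART manifests and produces the add/delete/changed-attribute report that a comparison yields. The attribute layout follows the `# Format:` header BART writes into every manifest; the two manifests below are constructed (file sizes, times and checksums are made up), and the default of ignoring directory mtimes plays the role of an IGNORE keyword in a bart rules file.

```python
"""Compare two BART manifests and report added, deleted and changed entries,
mirroring what `bart compare control.manifest test.manifest` reports.
Added example with constructed manifests; the attribute names follow the
'# Format:' header BART writes into every manifest."""
import re

# Attribute names per entry type, as listed in the manifest's '# Format:' header.
FIELDS = {
    "D": ["size", "mode", "acl", "dirmtime", "uid", "gid"],
    "P": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "S": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "F": ["size", "mode", "acl", "mtime", "uid", "gid", "contents"],
    "L": ["size", "mode", "acl", "lnmtime", "uid", "gid", "dest"],
    "B": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
    "C": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
}

# Constructed 'control' manifest (known-good baseline) and a later 'test' run.
CONTROL = """\
! Version 1.0
! Monday, March 05, 2007 (09:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/etc D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 45ebb7a0 0 3
/etc/passwd F 703 100644 user::rw-,group::r--,mask:r--,other:r-- 45ebb7a0 0 3 0b1d0c9f6e2a4d8c7b5a3e1f9d8c7b6a
/etc/shadow F 417 100400 user::r--,group::---,mask:---,other:--- 45ebb7a0 0 3 1f2e3d4c5b6a79887766554433221100
/usr/bin/ls F 18528 100555 user::r-x,group::r-x,mask:r-x,other:r-x 44c81a22 0 2 a1b2c3d4e5f60718293a4b5c6d7e8f90
/usr/lib/libc.so.1 F 1206548 100755 user::rwx,group::r-x,mask:r-x,other:r-x 44c81a22 0 2 ffeeddccbbaa99887766554433221100
"""

TEST = """\
! Version 1.0
! Tuesday, March 06, 2007 (02:13:41)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/etc D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 45ecf8d1 0 3
/etc/passwd F 703 100644 user::rw-,group::r--,mask:r--,other:r-- 45ebb7a0 0 3 0b1d0c9f6e2a4d8c7b5a3e1f9d8c7b6a
/etc/shadow F 417 100400 user::r--,group::---,mask:---,other:--- 45ebb7a0 0 3 1f2e3d4c5b6a79887766554433221100
/usr/bin/ls F 18528 100555 user::r-x,group::r-x,mask:r-x,other:r-x 44c81a22 0 2 deadbeefdeadbeefdeadbeefdeadbeef
/usr/lib/libc.so.1 F 1206548 100755 user::rwx,group::r-x,mask:r-x,other:r-x 44c81a22 0 2 ffeeddccbbaa99887766554433221100
/usr/bin/.x F 4096 104755 user::rwx,group::r-x,mask:r-x,other:r-x 45ecf8d1 0 2 0123456789abcdef0123456789abcdef
"""


def _decode_name(name):
    """BART escapes whitespace and other special bytes in names as \\ooo (octal)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_manifest(text):
    """Return {path: {"type": T, attr: value, ...}} for the data lines of a manifest."""
    entries = {}
    for line in text.splitlines():
        if not line or line[0] in "!#":
            continue  # version/date header, comments and the format description
        parts = line.split()
        name, ftype, values = _decode_name(parts[0]), parts[1], parts[2:]
        fields = FIELDS[ftype]
        if len(values) != len(fields):
            raise ValueError(f"malformed entry for {name}")
        entries[name] = {"type": ftype, **dict(zip(fields, values))}
    return entries


def compare(control_text, test_text, ignore=("dirmtime",)):
    """Diff two manifests. Returns {path: "add" | "delete" | {attr: (old, new)}}.
    Attributes named in `ignore` are not reported (like IGNORE in a rules file)."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            diffs = {k: (control[path][k], test[path][k])
                     for k in control[path]
                     if k not in ignore and control[path][k] != test[path].get(k)}
            if diffs:
                report[path] = diffs
    return report


if __name__ == "__main__":
    for path, change in compare(CONTROL, TEST).items():
        print(path, change)
```

On the constructed pair the report contains exactly two items: a changed `contents` checksum on /usr/bin/ls and a new set-uid file /usr/bin/.x; the /etc directory mtime change is suppressed by the default ignore list and reappears only when `ignore=()` is passed. A checksum difference on a binary that no patch touched is the signal the slide calls "catching hackers in action", which is why the control manifest has to be stored off the host it describes.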

Solaris Secure Execution
Provides real-time verification of OS components to prevent virus outbreaks or use of unauthorized applications.
> Solaris 10: most digitally signed OS on the planet
> Manually verify systems today with 'elfsign'
> Future update will verify integrity at load time
> Prevents unauthorized applications and patches
> Helps meet auditing requirements
# 23

Solaris Minimization & Hardening

Solaris Minimization
Reduce risk by using the Reduced Networking Metacluster: a small install of Solaris with no network services.
> Nothing listening to the network to be attacked!
> Basic building block: turn on only what you want
> Saves disk space: 191 MB vs. 3 GB
> Used during manual or JumpStart install of Solaris
# 25

Hardening: Secure By Default Networking
Reduce exposure by limiting how the system listens for network connections.
> Turns off many services or sets them to 'local only'
> Uses the Solaris Service Manager to turn on only what is needed for use
> Only Solaris Secure Shell listening to the network
> Fully functional desktop impervious to external attack
# 26

More Options for Securing Solaris: Solaris Security Toolkit v4.2
Hardening
> Sets secure system parameters
> Allows undo of previously applied hardening
Minimize during install
> Uses repeatable profiles
> JumpStart integration
Download today: www.sun.com/blueprints
# 27

Labeled Security

Solaris Trusted Extensions (New)
Adds labeled security to Solaris 10
> Multi-level networking, printing
> Multi-level interfaces
> Leverages User & Process Rights Management
> Uses Containers
> Runs all Solaris applications
> High level of certification
# 29

Solaris Trusted Extensions: feature available from Solaris 10 11/06 onwards
Goals:
> Isolate data by security level
> Regulate network data flow simply
> Meet security policies
> All Solaris applications remain runnable (= Solaris)
Labeled security for Solaris 10:
> Multi-level networking, printing, GUI
> CAPP, RBACPP, LSPP @ EAL 4+
> Mandatory Access Control based on labels
# 30

Solaris Trusted Extensions: Mandatory Access Control & Security Labels
All objects are labeled, based on sensitivity; access is governed by the hierarchical relationship between labels.
Example label sets shown on the slide:
> Commercial hierarchy: Executive Management, VP and Above, Directors, All Employees (Trusted Extensions)
> Government hierarchy: Top Secret, Secret, Confidential, Classified (Trusted Extensions)
> Non-hierarchical: Net Inc., Music Online, Daisy's Florists (Solaris 10 or Trusted Extensions)
# 31

Security Certification

Independent Validation: 3rd Party Certifications
Certification tiers shown on the slide:
> EAL3 or EAL3+
> EAL4 or EAL4+ (C2) (CAPP)
> EAL4+ (C2) (CAPP & RBACPP)
> EAL4+ (B1) (CAPP, RBACPP, LSPP)
Systems compared, in the order they appear on the slide: SGI Irix, SuSE, RedHat, SuSE, IBM AIX, Windows 2003, Solaris 8, HP-UX, Solaris 9, Solaris 10, Trusted Solaris 8, Solaris 10 w/ Trusted Extensions*
Based on data from http://www.commoncriteriaportal.org/
# 33


Access Control Enforced Everywhere (screenshot): one window carries a stripe showing 'Restricted', another a stripe showing 'Internal'; an attempt to 'drag-and-drop' data between the windows fails because the user is not authorized to do so. Enforced when transferring data anywhere, to anything on the system. # 35
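Slide 31's "access governed by the hierarchical relationship between labels" and the drag-and-drop refusal on this slide are both instances of one rule, label dominance. The following added example (not Solaris code and not from the slides) implements dominance for the government and commercial hierarchies pictured on slide 31, with non-hierarchical compartments such as "Net Inc." as an extra dimension, and derives from it the read-down, write-up and window-to-window transfer decisions. The 'upgrade' and 'downgrade' authorization strings are simplified stand-ins (an assumption) for the Trusted Extensions authorizations that permit relabeling data; the labels and clearances used are constructed.

```python
"""Label dominance and the read/write/transfer decisions that mandatory
access control in Trusted Extensions is built on. Added example, not Solaris
code; the label vocabulary is taken from the hierarchies pictured on the slide."""
from dataclasses import dataclass

# Ordered classifications: a higher index dominates a lower one.
GOVERNMENT = ("Classified", "Confidential", "Secret", "Top Secret")
COMMERCIAL = ("All Employees", "Directors", "VP and Above", "Executive Management")


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()   # non-hierarchical categories, e.g. {"Net Inc."}
    hierarchy: tuple = GOVERNMENT

    def rank(self):
        return self.hierarchy.index(self.classification)

    def dominates(self, other):
        """self >= other: classification at least as high AND every compartment
        of `other` is present in self. Labels from different hierarchies are
        incomparable and raise rather than silently answering False."""
        if self.hierarchy != other.hierarchy:
            raise ValueError("labels from different hierarchies are incomparable")
        return self.rank() >= other.rank() and self.compartments >= other.compartments


def may_read(subject, obj):
    """Simple security property: a subject reads only what its label dominates."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property: writes go only to objects that dominate the subject, so data
    can never flow down to a lower label."""
    return obj.dominates(subject)


def may_transfer(source, dest, clearance, authorizations=frozenset()):
    """Model of the slide's drag-and-drop check between two labeled windows.
    'upgrade'/'downgrade' are simplified stand-ins (assumption) for the
    Trusted Extensions authorizations that allow a user to relabel data."""
    if not (clearance.dominates(source) and clearance.dominates(dest)):
        return False                      # user is not cleared for one of the windows
    if source == dest:
        return True                       # same label: ordinary copy
    if dest.dominates(source):
        return "upgrade" in authorizations
    if source.dominates(dest):
        return "downgrade" in authorizations
    return False                          # incomparable labels (disjoint compartments)


if __name__ == "__main__":
    internal, restricted = Label("Confidential"), Label("Secret")
    user = Label("Top Secret")
    print("read down :", may_read(restricted, internal))
    print("read up   :", may_read(internal, restricted))
    print("write up  :", may_write(internal, restricted))
    print("drag Internal -> Restricted, no authorization:",
          may_transfer(internal, restricted, user))
    print("drag Internal -> Restricted, with 'upgrade'    :",
          may_transfer(internal, restricted, user, {"upgrade"}))
```

The transfer check is the interesting one: even a user cleared for both windows is refused when the labels differ, unless an explicit relabeling authorization is held, which is exactly the failure pictured on the slide. Compartments show why dominance is a partial order rather than a simple ranking: "Secret / Net Inc." and "Secret / Music Online" are incomparable, so neither window may receive data from the other.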

Trusted Java Desktop System Details
> World's only labeled GNOME-based interface shipped with an OS
> Workplace Switcher
> Task Switcher (new)
> Trusted Stripe and Trusted Path Menu
# 36